The Hacker News — Cyber Security, Hacking, Technology News

A Russian man accused of infecting tens of thousands of computer servers worldwide to generate millions in illicit profit has finally entered a guilty plea in the United States and is going to face sentencing in August.

Maxim Senakh, 41, of Velikii Novgorod, Russia, pleaded guilty in a US federal court on Tuesday for his role in the development and maintenance of the infamous Linux botnet known as Ebury that siphoned millions of dollars from victims worldwide.

Senakh, who was detained in Finland in August 2015 and extradited to the US in January 2016, admitted to installing the Ebury malware on computer servers worldwide, including thousands in the United States.

First spotted in 2011, Ebury is an SSH backdoor Trojan for Linux and Unix-like operating systems such as FreeBSD and Solaris. It infected more than 500,000 computers and 25,000 dedicated servers in a worldwide malware campaign dubbed 'Operation Windigo.'

The Ebury backdoor gives attackers full remote shell control of infected machines, even if the passwords of the affected user accounts are changed on a regular basis.

The Ebury botnet, a network of thousands of compromised Linux systems, had the capacity to send over 35 million spam messages and redirect more than 500,000 web visitors to exploit kits every day.

According to the US Department of Justice, Senakh, along with the criminal organization, used Ebury to create and operate a botnet that would "generate and redirect internet traffic in furtherance of various click-fraud and spam e-mail schemes, which fraudulently generated millions of dollars in revenue."

Senakh also admitted to personally profiting from the Ebury botnet. He is scheduled to be sentenced on 3rd August 2017, after pleading guilty to conspiracy to violate the Computer Fraud and Abuse Act. Senakh faces up to a combined 30 years in prison.

Ebury first came into the news in 2011 after Donald Ryan Austin, 27, of El Portal, Florida, installed Ebury on multiple servers owned by kernel.org and the Linux Foundation, which are used to maintain and distribute the Linux operating system kernel.

Austin, who has no connection to the Ebury criminal organization, was arrested in September last year and charged with four counts of "intentional transmission causing damage to a protected computer."

Security researchers have discovered a highly nasty Linux trojan that has been used in state-sponsored attacks to steal personal and confidential information from government institutions, military organizations and pharmaceutical companies around the world.

A previously unknown piece of a larger puzzle called "Turla," one of the most complex Advanced Persistent Threats (APTs) uncovered by researchers at Kaspersky Lab in August, remained hidden on some systems for at least four years. The malware was notable for its use of a rootkit that made it extremely hard to detect.

The German security company G Data believes the Turla campaign is linked to Russia and has in the past exploited a variety of Windows vulnerabilities, at least two of which were zero-days, to infect government institutions, embassies, military, education, research and pharmaceutical organizations in more than 45 countries.

Recently, security researchers from Moscow-based Kaspersky Lab detected the first Turla sample targeting the Linux operating system. This Linux component points towards a much bigger threat than previously thought, and it may also herald the discovery of more infected systems.

"The newly discovered Turla sample is unusual in the fact that it's the first Turla sample targeting the Linux operating system that we have discovered," Kaspersky researcher Kurt Baumgartner said in an advisory. "We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet."

The modules of the Linux-based Turla malware are written in C and C++ and contain code from previously written libraries. The malware uses hidden network communication and is stripped of symbol information, which makes it hard for researchers to reverse engineer or analyze.

As a result, the Linux-based Turla trojan may have capabilities that have not yet been fully uncovered. Baumgartner said the Linux component remains a mystery even after its discovery, adding that it cannot be seen with the common netstat command.

To hide itself, the backdoor sits inactive until the attackers send it unusually crafted packets that carry "magic numbers" in their sequence numbers. The malware can therefore sit unnoticed on victims' computers for years. The trojan's capabilities include arbitrary remote command execution, incoming packet interception and remote management, even though it requires no root privileges.
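A defender-side check prompted by that detail, added here as an example and not part of the original article or of any Kaspersky tooling: a backdoor that sniffs raw packets for its trigger does not show up in netstat's TCP/UDP listings, but the packet or raw socket it holds still has an inode in /proc/net/packet or /proc/net/raw, and that inode can be tied back to a PID through /proc/<pid>/fd. The two sample tables below are constructed; the function names are this example's own.

```python
import os
import re
from typing import Dict, List, Set

# Constructed sample of /proc/net/packet (AF_PACKET sockets, the kind a sniffer
# opens). The last column, Inode, identifies the socket.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800a1b2c3d0 3      3    0003   2     1 0      0      24681
"""

# Constructed sample of /proc/net/raw (AF_INET raw sockets); the 10th field is the inode.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   6: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 24682 2 ffff8800a1b2c3d1 0
"""

def _inodes_from_table(text: str, column: int) -> Set[int]:
    """Collect the socket inode column of a /proc/net table, skipping the header line."""
    inodes = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > column:
            inodes.add(int(fields[column]))
    return inodes

def packet_socket_inodes(text: str) -> Set[int]:
    return _inodes_from_table(text, 8)  # Inode is the 9th column of /proc/net/packet

def raw_socket_inodes(text: str) -> Set[int]:
    return _inodes_from_table(text, 9)  # inode is the 10th column of /proc/net/raw

def socket_inode_owners(inodes, proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map each socket inode to the PIDs whose /proc/<pid>/fd links point at it."""
    owners: Dict[int, List[int]] = {i: [] for i in inodes}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return owners  # no procfs at this path (e.g. not Linux); nothing to attribute
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or permission denied (run as root for full coverage)
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in owners:
                owners[int(m.group(1))].append(int(pid))
    return owners
```

On a live host, feed the real contents of /proc/net/packet and /proc/net/raw to the two parsers and pass the union of inodes to socket_inode_owners; an inode with an empty PID list is a socket no visible process admits to owning. A rootkit that filters procfs itself defeats this view, so corroborate from a trusted boot or an offline disk image.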

Earlier this year, Kaspersky Lab researchers linked Turla to Snake, which was built on the capabilities of Agent.btz, the worm that came to the surface in 2008 when US Department of Defense sources claimed that its classified networks had been breached by an early version of the same virus, described by officials as the "worst breach of US military computers in history." The Uroburos rootkit was also one of the components of the Snake campaign.

Agent.btz has since been developed with many advanced features that make it even more flexible and sophisticated than before. It is thought to have inspired other nasty malware creations, including Flame and Gauss.